This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to shun/block an IP address for a period of time

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to shun/block an IP address for a period of time

njoyzrd
L1 Bithead

‎10-12-2013 07:23 AM

I've worked with several traditional IPS in the past and there is always a way to create rules that shun or block a source IP address for some period before automatically resetting.  It is especially useful for stopping automated bots that are just probing for flaws across the Internet.

Specifically, I'd like to create a rule that will monitor for failed login attempts to a web server located in a DMZ.  After 5 failed attempts in 2 minutes, I want to block the source IP address for 10 minutes.

Can this be done?

Thanks in advance for any help!

Labels:
4 REPLIES 4

panos
L6 Presenter

‎10-12-2013 12:43 PM

Hi,

You can change behaviour of signatures in vulnerability as shown in the picture (block for a periodic time).But for attempt count I don't think there is a way to do.Maybe you can write a custom signature.

Also check

https://live.paloaltonetworks.com/docs/DOC-1367

sc.png

0 Likes Likes

kdd
L4 Transporter

‎10-13-2013 11:55 PM

Hi njoyrzd,

I would start with creating a schedule object under the objects tab. After this the schedule object can be used in a rule (under Options).

if it is not shown then it has to be enabled.

option.PNG.png

right after this you can use the schedule object in the options field of the rule.

opt.PNG.png

Hope this helps

Regards Klaus

0 Likes Likes

jvalentine
L7 Applicator

‎10-14-2013 08:49 AM

Some of the "brute force" signatures have a picture of a pencil next to them, which allows you to Edit Time Attributes.

If you would like to shun based on an IPS signature that doesn't have a built-in time attribute, you can create a simple custom "combination" vulnerability signature.  Create a new custom vulnerability signature, enter some basic information on the "Configuration" tab (name, etc.), then on the signature type, choose "Combination".  Now, select the signature you wish to add some time attributes to.  (This example uses Threat ID 10005).

Next, go to the "Time Attribute" tab and add the # of hits within the # of seconds, and then how you wish to aggregate the data.

Now, with your new signature, you can change the action to "block-ip" (aka shun).

0 Likes Likes

ISortOfKnowIT
L0 Member
In response to jvalentine

‎11-24-2021 10:08 AM - edited ‎01-13-2022 09:41 AM

I apologize for the ignorant question, but I can't seem to find reference to what Threat ID 10005 denotes. Is this failed logins? 

0 Likes Likes
  • 5943 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks